pyjson5

Mishandling of special characters leads to keyword collisions and variable overrides

Open P3ngu1nW opened this issue 2 years ago • 3 comments

env

Python 3.9

details

When the keyword inside the JSON string contains illegal escape characters (such as \m in '{"na\\me": "test"}'), json5.loads will remove the \ and the result will be {"name": "test"}. This problem does not exist when the keyword inside the JSON string contains a legal escape character. For example, json5.loads('{"tes\\t": "1"}') results in {"tes\t ": "1"}.

Python's built-in JSON function, on the other hand, will not allow the existence of illegal escape characters and reports errors.

This problem can lead to a number of security issues such as keyword collisions and variable overrides. For example, when I read '{"name": "1", "na\\me": "2 "}', json5.loads results in {"name": "2"}, which is dangerous.

P3ngu1nW avatar Oct 23 '23 07:10 P3ngu1nW

Yikes, good catch. I'll try to get a fix for this ASAP.

dpranke avatar Oct 23 '23 16:10 dpranke

Thanks for your early reply!

So could you assign me a CVE number?

P3ngu1nW avatar Oct 24 '23 12:10 P3ngu1nW

That's a good question. I know nothing about the CVE process, but I'll look into it. I'm not seeing how this bug could be used as an attack; is there something you have in mind?

dpranke avatar Oct 26 '23 23:10 dpranke

In looking at this further (and in looking at #70), I've realized that this isn't actually a bug. JSON5, following JavaScript, is specified to pass unrecognized escape characters through. So, '\m' is treated the same as 'm'. Regular JSON does not allow this.

So, I'm closing this as not a bug. Please comment if you have any thoughts or questions on this.

dpranke avatar Feb 20 '24 01:02 dpranke
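
The escape rule from the closing comment, as an added example that is not part of the thread or of pyjson5's code: a stand-alone decoder for JSON5 string escapes, a check for key spellings that decode to the same key, and an `object_pairs_hook` that refuses repeated keys. The names `json5_unescape`, `colliding_keys`, `reject_duplicates` and `SAMPLE_KEYS` are hypothetical, and the decoder assumes it is given the string body without its quotes.

```python
import json
import string

# Single-character escapes JSON5 strings recognize (from ECMAScript 5.1).
# Simplification: "\0" followed by another digit is not rejected here.
SINGLE = {"b": "\b", "f": "\f", "n": "\n", "r": "\r", "t": "\t", "v": "\v",
          "0": "\0", "'": "'", '"': '"', "\\": "\\"}
LINE_ENDS = ("\r\n", "\n", "\r", "\u2028", "\u2029")

def json5_unescape(raw):
    """Decode the body of a JSON5 string literal (surrounding quotes removed)."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] != "\\":
            out.append(raw[i])
            i += 1
            continue
        rest = raw[i + 1:]
        end = next((e for e in LINE_ENDS if rest.startswith(e)), None)
        if not rest or rest[0] in "123456789":
            raise ValueError("invalid escape at offset %d" % i)
        if end is not None:              # line continuation adds no character
            i += 1 + len(end)
        elif rest[0] in "xu":            # \xHH or \uHHHH
            n = 2 if rest[0] == "x" else 4
            digits = rest[1:1 + n]
            if len(digits) != n or set(digits) - set(string.hexdigits):
                raise ValueError("invalid hex escape at offset %d" % i)
            out.append(chr(int(digits, 16)))
            i += 2 + n
        else:                            # known escape, or pass-through (\m -> m)
            out.append(SINGLE.get(rest[0], rest[0]))
            i += 2
    return "".join(out)

def colliding_keys(raw_keys):
    """Group raw key spellings by decoded value; return keys reached more than once."""
    groups = {}
    for raw in raw_keys:
        groups.setdefault(json5_unescape(raw), []).append(raw)
    return {k: v for k, v in groups.items() if len(v) > 1}

def reject_duplicates(pairs):
    """object_pairs_hook: refuse an object whose decoded keys repeat."""
    keys = [k for k, _ in pairs]
    if len(set(keys)) != len(keys):
        raise ValueError("duplicate keys after decoding")
    return dict(pairs)

# Constructed sample: the two key spellings from the report, as written in source.
SAMPLE_KEYS = ["name", r"na\me"]
```

Because an `object_pairs_hook` receives keys after escape decoding, `reject_duplicates` catches spellings that only collide once decoded; it works with the standard library's `json.loads` and with any JSON5 loader that accepts the same argument.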